Is a Windows 2003 Terminal Service session secure without a VPN connection?

I need to connect two small offices over basic cable broadband connections.  The staff in office A will have a Windows 2003 Server w/ Terminal Services to host a series of applications and files.  The staff in office B will log in via terminal services to their accounts and use the applications/files.  

Is the terminal service connection (from login to logout) secure so that a VPN connection is not needed?  Are there any printing gotchas/concerns over terminal services which I should prepare for?

Other details:
- offices will merge to one single office space in one year (this office to office connection is temporary)
- at times staff may log into terminal service session from home
- both offices currently only have basic cable broadband internet access
- all printing will be local to the office where the user is located (users in office B will need to be able to print to printers local to the office B network; users in office B will not need to print to office A printers)
- offices are not in line of sight and are 10 miles apart
Cláudio Rodrigues (Founder and CEO) commented:
This is a question that people will debate all over and have different opinions on the answer. Here you have my own (and I know some here will probably bash me...).
RDP by itself is encrypted. The thing is, due to the way Microsoft implemented the encryption keys, it is subject to man in the middle attacks.
The thing is, all these years working with TS I am still to see one single customer that had a TS hacked when exposed to the internet. Not a single one.
So, do I think a VPN is needed? No.
You can implement, if you are paranoid, SecureRDP on the TS (freeware from, that we developed before they acquired my company, Terminal-Services.NET) and customize the RDP client to have your own, unique version number and filter by that. Check this article I wrote:

And you can always install RecordTS on the terminal server (another piece of software we wrote, now under my new company) and record everything that happens at the RDP level (in case you want to record someone trying to hack your TS).

For printing, a couple things to keep in mind:
1. Try to get a printer that is supported by native, out-of-the-box Windows Server 2003 drivers (meaning the drivers shipped with the OS, not requiring anything to be installed). These will work for sure.
2. Avoid host based printers (the ones that use the PC to do all the work normally done by the printer hardware).
3. Avoid as much as you can loading ANY printer driver on the TS UNLESS you have no other option.
4. Consider a product like UniPrint, SimplifyPrint or ThinPrint. They sure cost money BUT will save you a LOT of headaches with printing on TS.

And to wrap this up, TS is pretty good with bandwidth utilization BUT make sure your links are not heavily used for things like web browsing, email etc otherwise RDP will have to compete with everything else and performance will suffer.


Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
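The answer above notes that RDP's own encryption is vulnerable to man-in-the-middle because the client has no way to authenticate the server. The script below is an added example, not part of the original thread or of any product mentioned in it: run on the terminal server, it reads the listener's security layer and minimum encryption level from the registry and reports whether the configuration leaves the server-authentication gap open. It assumes the default listener name `RDP-Tcp` and a Windows Server 2003 SP1 or later host (the `SecurityLayer` value does not exist before SP1).

```powershell
# Added example (not from the original thread): audit the RDP listener's
# security layer and encryption level on a Windows Server 2003 terminal server.
# Assumption: the listener is the default "RDP-Tcp".
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$props = Get-ItemProperty -Path $listenerKey

# SecurityLayer: 0 = RDP Security Layer (encrypted, but the server is never
# authenticated, so a man-in-the-middle can sit between client and server),
# 1 = Negotiate (TLS if the client supports it, else RDP), 2 = SSL/TLS only
# (the server presents a certificate the client can verify).
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

# A missing SecurityLayer value (pre-SP1) behaves like 0: RDP Security Layer.
$layer = 0
if ($props.SecurityLayer -ne $null) { $layer = [int]$props.SecurityLayer }
$level = 0
if ($props.MinEncryptionLevel -ne $null) { $level = [int]$props.MinEncryptionLevel }

Write-Host ("Security layer     : {0} ({1})" -f $layer, $layerNames[$layer])
Write-Host ("Min encryption lvl : {0} ({1})" -f $level, $levelNames[$level])

$findings = @()
if ($layer -lt 2) {
    $findings += 'Server is not required to prove its identity with a certificate; ' +
                 'sessions are encrypted but remain exposed to man-in-the-middle.'
}
if ($level -lt 3) {
    $findings += 'Encryption level below High allows clients to negotiate weak ' +
                 '(40/56-bit) session keys.'
}

if ($findings.Count -eq 0) {
    Write-Host 'OK: TLS security layer with High or FIPS encryption is enforced.'
} else {
    Write-Host 'Findings:'
    $findings | ForEach-Object { Write-Host (" - " + $_) }
    Write-Host 'Mitigation: set Security Layer to SSL (TLS 1.0) and Encryption Level to'
    Write-Host 'High or FIPS in Terminal Services Configuration, or put the listener'
    Write-Host 'behind a VPN so it is never reachable directly from the Internet.'
}
```

Raising the security layer to SSL/TLS only helps if clients actually check the server certificate, so pair it with a certificate issued by a CA the office B machines already trust.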

dandacci (Author) commented:
Thank you Claudio (tsmvp).  Your answer was clear and very helpful.  The printing might get tedious.  I will follow up on your suggestions.  Thank you again!!!